Bug#881143: fig2dev: out of bound read while running fig2dev with -L tikz

2017-11-09 Thread Thomas Loimer

Naive me! The fscanf() function is able to read in all sorts of garbage.
Really, this issue points to a bigger problem. A lot more checks have to 
be added to sanitize input, both in read.c and read1_3.c. Nevertheless,
here is a patch that solves the specific issue reported here and the 
related one in bug #881144. The diff was taken from my development 
version, hope it applies cleanly.



diff --git a/fig2dev/read.c b/fig2dev/read.c
index f281b33..eea815c 100644
--- a/fig2dev/read.c
+++ b/fig2dev/read.c
@@ -1326,8 +1326,14 @@ read_textobject(FILE *fp)
| PSFONT_TEXT;

/* keep the font number reasonable */
-   if (t->font > MAXFONT(t))
+   if (t->font > MAXFONT(t)) {
t->font = MAXFONT(t);
+   } else if (t->font < 0 ) {
+   if (psfont_text(t) && t->font < -1)
+   t->font = -1;
+   else
+   t->font = 0;
+   }
fix_and_note_color(>color);
t->comments = attach_comments();/* attach any comments */
return t;
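Review bot: the negative branch maps the wrong side of -1: `t->font < -1` turns -2 and below into -1 but lets exactly -1 fall through to 0, so for PostScript text a value of -1 becomes 0 while -51 becomes -1. If -1 is the legal default-font value for PostScript text, `if (psfont_text(t)) t->font = -1; else t->font = 0;` keeps it and pulls every lower value up to it; if -1 is not legal, the branch should not produce it. A short comment on why PostScript and LaTeX text get different floors would help the next reader. The lookup quoted in the report, `texfonts[t->font <= MAX_FONT ? t->font : MAX_FONT - 1]`, still has no lower bound, so a matching clamp in put_font in gentikz.c would keep the renderer safe against a text object built any other way.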
diff --git a/fig2dev/read1_3.c b/fig2dev/read1_3.c
index 41c0a72..acfca95 100644
--- a/fig2dev/read1_3.c
+++ b/fig2dev/read1_3.c
@@ -470,7 +470,16 @@ read_textobject(FILE *fp)
free((char*) t);
return(NULL);
}
+   /* keep the font number within valid range */
+   if (t->font > MAXFONT(t)) {
+   t->font = MAXFONT(t);
+   } else if (t->font < 0 ) {
+   if (psfont_text(t) && t->font < -1)
+   t->font = -1;
+   else
+   t->font = 0;
+   }
(void)strcpy(t->cstring, buf);
if (t->size == 0) t->size = 18;
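Review bot: this is a verbatim second copy of the nine-line clamp added to read.c in the hunk above, down to the `psfont_text(t) && t->font < -1` special case, so the two readers will drift the first time one of them is touched; move it into one helper (say `clamp_font(t)`) called from both read_textobject() functions, and pick one comment wording (`within valid range` here, `reasonable` in read.c). The unchanged `(void)strcpy(t->cstring, buf);` directly below is the next field in this object that comes from the file, and the message itself says read1_3.c needs more sanitizing; worth confirming in the follow-up that t->cstring is sized from strlen(buf).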



Bug#881143: fig2dev: out of bound read while running fig2dev with -L tikz

2017-11-08 Thread Roland Rosenfeld
Thomas Loimer wrote on Wednesday, 08 November 2017:

> thank you for the bug report. This specific issue is quite easy to
> resolve, since the position in the code where this bug is triggered
> is indicated,

I'm happy to receive a patch or an update :-)

> Do you know, in which way fig2dev is used by some printer drivers?

The Debian packages printfilters-ppd, magicfilter and apsfilter depend
on or suggest the transfig package (it needs to be renamed, but the new
fig2dev already provides transfig, so this still works).

magicfilter internally runs "/usr/bin/fig2dev -Lps -P -l dummy" if
someone tries to print a file that has a #FIG header.

apsfilter calls "fig2dev -Lps -c -z "$PAPERSIZE" | print_ps" to print
fig files (file detection via file(1)).

In printfilters-ppd I cannot find the fig2dev call.  The package
depends on transfig (not only a suggest), but it seems that the build
mechanism is somewhat broken, so it isn't included...

Greetings
Roland



Bug#881143: fig2dev: out of bound read while running fig2dev with -L tikz

2017-11-07 Thread Joonun Jang
Package: fig2dev
Version: 1:3.2.6a-4
Severity: important
Tags: security

out of bound read while running fig2dev with -L tikz option

Running 'fig2dev -L tikz poc' with the attached file raises an out-of-bounds
read bug, which may allow a remote attacker to cause a denial of service or
information disclosure with a crafted file.

I expected the program to terminate without a segfault, but the program crashes
as follows.

I sent this to the Debian security team before, but I didn't get any response,
so I am sending this to the public.

===
june@june:~/project/analyze/poc/fig2dev/crash1$ fig2dev -L tikz poc
\ifx\XFigwidth\undefined\dimen1=0pt\else\dimen1\XFigwidth\fi
\divide\dimen1 by 1
\ifx\XFigheight\undefined\dimen3=0pt\else\dimen3\XFigheight\fi
\divide\dimen3 by 5
\ifdim\dimen1=0pt\ifdim\dimen3=0pt\dimen1=-9223372036854775808sp\dimen3\dimen1
\else\dimen1\dimen3\fi\else\ifdim\dimen3=0pt\dimen3\dimen1\fi\fi
\tikzpicture[x=+\dimen1, y=+\dimen3]
{\ifx\XFigu\undefined\catcode`\@11
\def\temp{\alloc@1\dimen\dimendef\insc@unt}\temp\XFigu\catcode`\@12\fi}
\XFigu-9223372036854775808sp
% Uncomment to scale line thicknesses with the same
% factor as width of the drawing.
%\pgfextractx\XFigu{\pgfqpointxy{1}{1}}
\ifdim\XFigu<0pt\XFigu-\XFigu\fi
\clip(91,-1) rectangle (92,4);
\tikzset{inner sep=+0pt, outer sep=+0pt}
Segmentation fault

[debugging]
Program received signal SIGSEGV, Segmentation fault.
strlen () at ../sysdeps/x86_64/strlen.S:106
106 ../sysdeps/x86_64/strlen.S: No such file or directory.
(gdb) bt
#0  strlen () at ../sysdeps/x86_64/strlen.S:106
#1  0x77339d78 in _IO_vfprintf_internal (s=0x7768b600 <_IO_2_1_stdout_>, format=, ap=ap@entry=0x7fffde88) at vfprintf.c:1637
#2  0x77340157 in __fprintf (stream=, format=format@entry=0x555cc7e5 "\\normalfont%s ") at fprintf.c:32
#3  0x555b4615 in put_font (t=0x55810160) at gentikz.c:1725
#4  gentikz_text (t=0x55810160) at gentikz.c:1769
#5  0x555618cd in gendev_objects (dev=0x557f8ec0 , objects=0x7fffdfa0) at fig2dev.c:833
#6  main (argc=, argv=) at fig2dev.c:467
(gdb) x/i $rip
=> 0x77371646 :  movdqu (%rax),%xmm4
(gdb) i r rax
rax            0x29292922          690563362
(gdb) f 3
#3  0x555b4615 in put_font (t=0x55810160) at gentikz.c:1725
1725        fprintf(tfp, "\\normalfont%s ",
(gdb) p t->font
$1 = -51
(gdb) p texfonts[-51]
$3 = 0x29292922 

With the attached file, t->font can be set to a negative value, which causes this bug:
[fig2dev/dev/gentikz.c]
1724   else
1725   fprintf(tfp, "\\normalfont%s ",
1726 texfonts[t->font <= MAX_FONT ? t->font : MAX_FONT - 1]);

===

This bug was found with a fuzzer developed by the 'SoftSec' group at KAIST.

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'stable-updates'), (500, 'testing'), (500, 'stable'), (1, 'experimental-debug')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages fig2dev depends on:
ii  gawk 1:4.1.4+dfsg-1
ii  libc62.24-17
ii  libpng16-16  1.6.34-1
ii  libxpm4  1:3.5.12-1
ii  x11-common   1:7.7+19

Versions of packages fig2dev recommends:
ii  ghostscript  9.22~dfsg-1
ii  netpbm   2:10.0-15.3+b2

Versions of packages fig2dev suggests:
pn  xfig  

-- no debconf information

[attachment: poc, the crafted FIG file referenced above; its content is not recoverable from this page]
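An added example, not code from fig2dev or from anyone in this thread, putting the crash mechanism from the report and the input-sanitizing point from Thomas Loimer's message side by side in C: a constructed font table is indexed the way the quoted gentikz.c expression does it (upper bound only), then looked up through a clamp on both ends, and the font field is parsed from a constructed FIG text-object line with sscanf and range-checked instead of trusted. The table contents, the MAX_FONT value, the field order and the sample lines are assumptions of the example.

```c
/*
 * Added example, not fig2dev code: how a font number parsed from an untrusted
 * FIG file becomes an array index, and where to stop a bad value.
 * gentikz_index() mirrors the bounds expression quoted from gentikz.c in the
 * report; font_name() and parse_text_font() are the hardened counterparts.
 */
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for texfonts[]: the names and the table size are
 * assumptions of this example, not fig2dev's real table. */
#define MAX_FONT 6
static const char *const texfonts[MAX_FONT] = {
    "", "\\rmfamily", "\\bfseries", "\\itshape", "\\sffamily", "\\ttfamily"
};

/* The index the quoted expression computes. It caps the top only: -51 comes
 * back unchanged and would read 51 pointers before the table, which is the
 * garbage pointer strlen() faulted on in the backtrace (and with "<=" it lets
 * MAX_FONT itself through, one past the end of this six-entry table). Never
 * used to index here; index_in_bounds() shows the problem without the
 * undefined read. */
static int gentikz_index(int font)
{
    return font <= MAX_FONT ? font : MAX_FONT - 1;
}

static int index_in_bounds(int idx)
{
    return idx >= 0 && idx < MAX_FONT;
}

/* Use-site fix: clamp on both ends so every int maps to a valid entry. */
static const char *font_name(int font)
{
    if (font < 0)
        font = 0;
    else if (font >= MAX_FONT)
        font = MAX_FONT - 1;
    return texfonts[font];
}

/*
 * Parse-site fix. A FIG 3.x text object line starts
 *   4 sub color depth pen font size angle flags ...
 * (field order as this example assumes it; only the leading numeric fields
 * are read). sscanf stores -51 into 'font' as happily as 2, so the range has
 * to be checked by hand. Returns the font number, or -1 if the line is
 * malformed or the font is out of range, so the caller can drop the object
 * instead of rendering it.
 */
static int parse_text_font(const char *line)
{
    int type, sub, color, depth, pen, font, flags;
    float size, angle;

    if (sscanf(line, "%d %d %d %d %d %d %f %f %d",
               &type, &sub, &color, &depth, &pen, &font,
               &size, &angle, &flags) != 9 || type != 4)
        return -1;
    if (font < 0 || font >= MAX_FONT)
        return -1;
    return font;
}

/* Constructed text-object lines: a sane one and one carrying the negative
 * font number seen in the debugging session. */
static const char *const good_line =
    "4 0 0 50 -1 2 12 0.0000 4 135 405 1800 1350 abc\\001";
static const char *const bad_line =
    "4 0 0 50 -1 -51 12 0.0000 4 135 405 1800 1350 abc\\001";

int main(void)
{
    int idx = gentikz_index(-51);

    printf("unchecked index for font -51: %d, in bounds: %s\n",
           idx, index_in_bounds(idx) ? "yes" : "no");
    printf("clamped lookup for -51: \"%s\"\n", font_name(-51));
    printf("good line parses to font %d\n", parse_text_font(good_line));
    printf("bad line parses to %d (rejected)\n", parse_text_font(bad_line));
    return 0;
}
```

Compile with `cc -Wall example.c` and run: the unchecked index for -51 is reported as out of bounds rather than dereferenced, the clamped lookup returns the table's first entry, and the line carrying font -51 is rejected at parse time. Rejecting at the reader and clamping at the use site are both worth having; the reader stops the bad object early, the clamp protects the renderer from any other path that constructs a text object.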